[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Recipe for 'Thin Domain 0' request

William (Andy) Smith wrote:

One particularly nasty thought is to have Host 1 and Host 2 each serve
'firewall' guest domains. We have one routing IP outside of our 'public' IP
network, and our provider will allow us a second routing IP. I would need to
prove the theory that I can isolate the NIC device and its traffic from
Domain 0 and all other domains in a firewall application.
I can attest that this works quite well. I have a domU acting as a router/firewall, and aside from having to hack the bridging script to support 3 nics, it worked without a problem.

The machine has 3 nics (internet, dmz, internal), and the dom0 boots up with an IP address only on the internal nic (eth1, eth2, xen-br1, and xen-br2 are all "up", but with no address assigned. The router domU is given access to all 3 nics:
vif = [ 'mac=cc:cc:cc:cc:cc:19, bridge=xen-br0', 'mac=cc:cc:cc:cc:cc:20, bridge=xen-br1', 'mac=cc:cc:cc:cc:cc:21, bridge=xen-br2' ] while all the other domU's are only given access to the dmz nic. The router domU then runs pppoe (for DSL), and standard iptables natting and routing using the shorewall package, though any iptables based routing approach should work fine.

This has been working quite stably for me for a while, starting with xen 2.0.4, then 2.0.5, and right now, unstable 3.0 as of a week or so ago.

Let me know (on or off list) if you have any questions about this setup.


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.